The objective of the red teaming was to install malware in the Bank’s network, create a back door and exfiltrate confidential data from the Bank. ABC bank provided no information prior to the exercise and agreed to a 10-12 week window to conduct reconnaissance and perform the red teaming in a true black-box approach.
Discovery & Initial Compromise:
All public-facing applications and systems, customer-facing branches, public Wi-Fi, ATMs, dark web leaks, employee information from social networking applications, etc. were identified and evaluated for potential weaknesses as part of information gathering.
In one of the web applications, a contact form had a vulnerability that allowed us to send emails to known ABC bank employee email addresses through the form, so the email originated from an internal server rather than an external entity. Since the form sent mail from a trusted internal server and the origin of the email was not external, our payload simply bypassed the sandbox engine and secure email gateway, as they were configured only to inspect attachments and emails coming from external entities and not internal mail.
A second approach also succeeded: we hosted a phishing page on a cloud VPS provider and shared the link with a few ABC bank employees. A spear-phishing campaign run across the employees’ email addresses resulted in 1% of the targeted employees falling victim to the phishing page.
This further gave us sensitive information like their internal AD username and password.
Since ABC bank had Microsoft Exchange and O365 sync enabled, we were able to take the AD username and password received in the earlier step and use it to log in to the portal successfully. Since OTP was not enabled for all users, we were able to compromise some of the email accounts of the employees who fell victim to the phishing attack and thus access their mailboxes.
Since the email system is directly connected to AD, we were able to perform further AD enumeration and brute-force attacks to compromise more than 20% of ABC bank’s employee email accounts. Because the brute-force attempts again originated from an internal server, the lockout policy after 3 failed logins did not apply, as it was configured only for logins from external devices.
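As an added defensive example (not code from the report or the bank), the following models the lockout gap just described over a constructed authentication log: the same 3-failure threshold applied only to external sources versus regardless of origin, plus a detector for the fail, fail, fail, success pattern a guessing run leaves behind. The log format, the RFC 1918 ranges used to classify sources, and all function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample authentication log, not taken from the engagement above.
SAMPLE_LOG = """\
2024-01-01T09:00:01 src=203.0.113.7 user=alice result=FAIL
2024-01-01T09:00:02 src=203.0.113.7 user=alice result=FAIL
2024-01-01T09:00:03 src=203.0.113.7 user=alice result=FAIL
2024-01-01T09:01:00 src=10.20.30.40 user=bob result=FAIL
2024-01-01T09:01:01 src=10.20.30.40 user=bob result=FAIL
2024-01-01T09:01:02 src=10.20.30.40 user=bob result=FAIL
2024-01-01T09:01:03 src=10.20.30.40 user=bob result=SUCCESS
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THRESHOLD = 3  # the "3 failed logins" lockout threshold from the report

def parse(log_text):
    """Yield (src, user, result) for every line matching the assumed log format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groups()

def is_internal(ip): return any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS)

def locked_accounts(log_text, external_only):
    """Accounts whose failures reach THRESHOLD; external_only=True models the weak policy."""
    failures, locked = defaultdict(int), set()
    for src, user, result in parse(log_text):
        if result != "FAIL" or (external_only and is_internal(src)):
            continue  # the weak policy never counts failures from internal sources
        failures[user] += 1
        if failures[user] >= THRESHOLD:
            locked.add(user)
    return locked

def suspicious_successes(log_text):
    """Users whose success directly follows THRESHOLD+ failures from the same source, any origin."""
    streak, hits = defaultdict(int), []
    for src, user, result in parse(log_text):
        if result == "FAIL":
            streak[(src, user)] += 1
            continue
        if streak[(src, user)] >= THRESHOLD and user not in hits:
            hits.append(user)
        streak[(src, user)] = 0
    return sorted(hits)
```

With the sample log, the external-only policy locks only alice, while the origin-agnostic policy also locks bob, whose run from an internal address ends in a success that `suspicious_successes` flags.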
The AD enumeration itself also gave us sensitive details like internal desk and mobile phone numbers of all employees of ABC bank.
All of the enumeration data was successfully exfiltrated after we found that the IPs of specific cloud service providers were whitelisted; we purchased an account with one of them and uploaded all the data to it.
Further Exploitation Attacks:
Since we had compromised more than 20% of ABC bank’s email accounts, we were in a position to send emails as employees (impersonating bank employees). We were able to distinguish junior and senior employees, including management, and sent an email to one of ABC bank’s branch security teams asking them to allow one of our security consultants into the branch environment, citing IT work on one of the branch systems. We were thus able to physically infiltrate and access ABC bank’s branch system and launch further attacks on core banking applications locally. Custom malware was installed on one of the bank’s systems and internal data was uploaded to our cloud servers from the bank’s system as a proof of concept at the end.